Dell Venue 11 Pro (7139) as a Linux Tablet – with full disk encryption!

I can’t stomach the “telemetry” in Windows 10, and wanted a cheap hybrid laptop/tablet for when I go travelling. I really love the concept of the Dell Venue 11, and managed to pick up a mint-condition second-hand i5 / 250 GB / 8 GB model, complete with keyboard and docking station, for NZ$400 including shipping.

A couple of years ago I struggled to get an i3 model working with Linux (touch-screen and WiFi in particular), and I’m quite happy with how far things have come: all the hardware worked out of the box on Ubuntu 16.04.2 (partly, I suspect, because of the Intel AC WiFi adaptor this unit came with). Unfortunately it did not work well as a tablet.

There are two enhancements I’ve implemented which I believe make the unit a usable tablet:

Full Disk Encryption

Credit where it’s due: the idea came from https://ranzbak.nl/tpmluks/, which I used as a starting point. Unfortunately it required quite a bit of work: extracting the initrd and rebuilding it by hand is probably not ideal; SHA-1, while not fantastic, is better than MD5 hashes, and TPM 1.2 is built around SHA-1 anyway; the provided diffs did not apply, and the PCRs turned out to be in a different place.

While it’s easy enough to enable FDE when installing Linux, it requires a physical keyboard to enter the passphrase at boot. The firmware, however, does provide an on-screen keyboard for entering a (BIOS) password. So the approach is: set a boot password in the BIOS, which can be typed on that on-screen keyboard, and then use the TPM’s PCR state, which only matches when the firmware and boot path are the ones the hash was enrolled against, to unlock the encrypted disk without a typed passphrase.

The first step is to take ownership of the TPM (tpm_takeownership talks to the trousers daemon, tcsd, and prompts for an owner password and an SRK password):

apt-get install tpm-tools trousers

tpm_takeownership

To do this, the cryptroot script inside the initrd needs modifying. The idea is to use a hash of the TPM PCRs, which should be specific to the device and its boot state, as the LUKS passphrase when the TPM is available (if it is not, or the hash does not match, we fall back to a regular passphrase).

Here is the diff (for Ubuntu 16.04) with the appropriate changes to the initramfs cryptroot script (I also have a downloadable replacement cryptroot file). It more-or-less replicates the code block starting at line 311, adding a block before it that checks whether the TPM is present and, if so, tries to unlock the volume using the PCR hash.
298a299,311
> # Attempt to decrypt using PCRS
> if [ -e /sys/class/tpm/tpm0/device/pcrs ]
> then
> sha1hash=`cat "/sys/class/tpm/tpm0/device/pcrs" | sha1sum | cut -f1 -d' '`
> if [ ! -e "$NEWROOT" ]; then
> if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
> echo $sha1hash | $cryptopen; then
> message "cryptsetup Invalid TPM hash ($sha1hash)"
> continue
> fi
> fi
> fi
>
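Review bot: the `continue` after `message "cryptsetup Invalid TPM hash ($sha1hash)"` needs a second look: it sits inside the same retry loop as the askpass block below it, so a non-matching hash skips the passphrase prompt for that pass, and if the loop bumps its try counter at the top (as I read the stock script) every try is spent on the same fixed hash and the prompt is never reached, which defeats the fallback to a typed passphrase that the surrounding text promises; dropping the `continue` (keep the message, fall through) lets the existing block prompt as intended. While here, `$sha1hash` is exactly the value the keyslot was enrolled with on a healthy device, so print a fixed string rather than the candidate, and note that hashing the whole pcrs file ties the key to every PCR, including any that is extended later in boot or that differs between the running system (where the hash is enrolled) and the initramfs (where it is checked); binding to a listed set of PCRs, or better sealing a random key with tpm_sealdata/tpm_unsealdata from tpm-tools so the TPM releases it only when those PCRs match, is the usual way to get the intended property without the key ever being readable out of sysfs.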


This also requires two extra binaries in the initrd: sha1sum and cut. To add them, find the copy_exec lines near the bottom of /usr/share/initramfs-tools/hooks/cryptroot and add:

copy_exec /usr/bin/cut

copy_exec /usr/bin/sha1sum

(On 16.04 both binaries live in /usr/bin; confirm with “command -v cut sha1sum” before rebuilding.)

Then run “update-initramfs -u” to rebuild the initramfs for your current kernel.

You will also need to add the PCR hash as a passphrase on your LUKS device, in an unused keyslot (my LUKS device is /dev/sda3). There is no doubt a better way to do this, but I simply ran:

cat /sys/class/tpm/tpm0/device/pcrs | sha1sum | cut -f1 -d' '

This produces a 40-character hex string, the SHA-1 of the PCR bank, which is what we use as the passphrase; it should be unique to the system.

I then added it to the second keyslot by pasting it in when prompted, using the command

cryptsetup luksAddKey /dev/sda3 -S1

luksAddKey first asks for an existing passphrase (the one in slot 0), then for the new one. Note that -S1 is slot 1, the second slot (the first one is slot 0). A LUKS1 header has 8 slots you can use.
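To make the enrolment repeatable and checkable, here is a small script I have added to this write-up (my own code, not part of the original steps). It derives the passphrase exactly as the initrd hunk and the one-liner above do, sanity-checks that the whole PCR bank was read, verifies the result against the LUKS header without unlocking anything, and enrols it into a free keyslot. Assumptions: the TPM 1.2 sysfs path from the post, the LUKS1 “Key Slot N: DISABLED” lines of luksDump, cryptsetup’s 16.04-era command line, and a tmpfs at /dev/shm; the function names are mine.

```shell
#!/bin/sh
# Added example (not the original post's code): derive, test and enrol the
# TPM 1.2 PCR-bank "passphrase" used by the patched cryptroot script.
# Assumed: /sys/class/tpm/tpm0/device/pcrs (TPM 1.2 sysfs), LUKS1 luksDump
# output, cryptsetup with luksOpen --test-passphrase, tmpfs at /dev/shm.

PCRS_FILE="${PCRS_FILE:-/sys/class/tpm/tpm0/device/pcrs}"

# Same pipeline as the initrd hunk: SHA-1 over the raw pcrs file, hex only.
pcr_passphrase() {
    f="${1:-$PCRS_FILE}"
    [ -r "$f" ] || { echo "cannot read PCR bank at $f" >&2; return 1; }
    sha1sum < "$f" | cut -f1 -d' '
}

# Number of "PCR-NN:" lines in the bank. A partial or empty read still hashes
# to *something*, so enrolment refuses anything but the full 24-PCR bank.
pcr_count() {
    f="${1:-$PCRS_FILE}"
    [ -r "$f" ] || { echo 0; return 0; }
    grep -c '^PCR-[0-9][0-9]:' "$f" || true
}

# LUKS1 keyslot N is free when luksDump reports it DISABLED.
slot_free() {
    cryptsetup luksDump "$1" | grep -q "^Key Slot $2: DISABLED"
}

# Keyfiles are used byte-for-byte, so write the passphrase WITHOUT a trailing
# newline: the initrd's `echo $hash | cryptsetup luksOpen` strips the newline
# when reading a passphrase from stdin, and the enrolled key must match that.
write_keyfile() {
    umask 077
    kf="$(mktemp /dev/shm/pcrkey.XXXXXX)" || return 1
    printf '%s' "$1" > "$kf"
    echo "$kf"
}

# Check that the derived passphrase opens the header; no mapping is created.
test_pcr_key() {
    dev="$1"
    pass="$(pcr_passphrase)" || return 1
    kf="$(write_keyfile "$pass")" || return 1
    cryptsetup luksOpen --test-passphrase --key-file "$kf" "$dev"; rc=$?
    rm -f "$kf"
    return $rc
}

# Enrol into keyslot (default 1); cryptsetup prompts for an existing passphrase.
enroll_pcr_key() {
    dev="$1"; slot="${2:-1}"
    [ "$(pcr_count)" -eq 24 ] || { echo "PCR bank incomplete, refusing" >&2; return 1; }
    slot_free "$dev" "$slot" || { echo "keyslot $slot already in use" >&2; return 1; }
    pass="$(pcr_passphrase)" || return 1
    kf="$(write_keyfile "$pass")" || return 1
    cryptsetup luksAddKey -S "$slot" "$dev" "$kf"; rc=$?
    rm -f "$kf"
    return $rc
}

# Usage: pcrkey.sh test /dev/sda3   or   pcrkey.sh enroll /dev/sda3 1
case "${1:-}" in
    enroll) enroll_pcr_key "$2" "${3:-1}" ;;
    test)   test_pcr_key "$2" ;;
    *)      : ;;   # nothing to do when sourced or run without a command
esac
```

Run “pcrkey.sh test /dev/sda3” after every BIOS update or boot-order change: if it fails, the PCRs have moved and slot 1 needs re-enrolling (after luksKillSlot on the old value), otherwise the initrd will silently fall back to the typed passphrase.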

Note: this is not as secure as FDE with a typed passphrase. The PCR hash is not a secret: PCR values are measurements of the firmware and boot code, and anything running as root on the booted system can read the same file and recompute the slot-1 passphrase (an identical model on the same firmware and boot configuration may well produce the same values, too). One attack would be for someone to “borrow” the system, remove the SSD, install a compromised initrd, replace the drive, and wait for you to boot; they then have the hash, which unlocks the disk. Of course, this is not significantly different from someone putting a keylogger on your system, and it does provide protection if a thief simply steals the device, as long as they cannot boot it past the BIOS password.

Onscreen Keyboard on login

Although it should work out of the box, the “Onboard” on-screen keyboard does not work correctly with the default LightDM display manager. I eventually discovered that replacing it with GDM3 (apt install gdm3) fixed it. One gotcha: you need to reboot the system after installing GDM3, not just log out and in again.

OTHER:

I subsequently needed to do something similar with a Dell Latitude 7200 running Ubuntu 20.04 and TPM 2.0. I found instructions at https://run.tournament.org.il/ubuntu-20-04-and-tpm2-encrypted-system-disk/